Aziz's Blog

CVE-2025-54336: Plesk Obsidian Authentication Bypass Vulnerability

· Aziz

TL;DR: I found an authentication bypass in Plesk Obsidian. the admin password check uses PHP’s loose comparison (==) instead of strict (===). if the admin password looks like scientific notation (e.g. 0e012345678234323232), PHP treats it as the number 0.0, so you can log in with any string that also evaluates to 0.0.

the bug

quick context - plesk has 3 types of accounts:

  • normal users: passwords are hashed properly in the database
  • system users: authenticate via PAM
  • admin user: password is encrypted (not hashed) and checked differently ← this one’s vulnerable

plesk’s admin password validation in admin/plib/LoginManager.php:

// loose comparison: when both sides are numeric strings, PHP compares them as numbers
return $password == get_admin_password();

this is classic PHP type juggling. when the admin password is something like “0e012345678234323232”, PHP sees a numeric string in scientific notation (0 × 10^12345678234323232), i.e. the value 0.0.

so if you send “0e0” or “0.0” or even “00” as the password, PHP compares 0.0 == 0.0 → true → you’re in.
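to see the juggling side by side with the fix, here is an added example (mine, not Plesk’s code): the loose check from above next to a strict, constant-time check. `$stored` is a constructed stand-in for whatever get_admin_password() returns, and the function names are my own.

```php
<?php
// Added example, not code from Plesk. Shows why `$password == $stored` is
// bypassable and what the check should look like instead.

// the vulnerable form, same operator as the LoginManager.php line above
function vulnerableCheck(string $password, string $stored): bool
{
    // PHP's == compares two numeric strings by numeric value, so
    // "0e0" == "0e012345678234323232" is true: both evaluate to 0.0.
    return $password == $stored;
}

// the hardened form
function hardenedCheck(string $password, string $stored): bool
{
    // hash_equals() compares byte for byte in constant time and never
    // converts its operands to numbers, so no type juggling is possible.
    // (known value first, user-supplied value second)
    return hash_equals($stored, $password);
}

// constructed sample password that happens to look like scientific notation
$stored = '0e012345678234323232';

// constructed login attempts: a few strings that are numerically 0.0,
// the real password, and an ordinary wrong password
$attempts = ['0e0', '0.0', '00', '0', '0e012345678234323232', 'hunter2'];

foreach ($attempts as $attempt) {
    printf(
        "%-24s loose (==): %-5s  strict (hash_equals): %s\n",
        var_export($attempt, true),
        vulnerableCheck($attempt, $stored) ? 'true' : 'false',
        hardenedCheck($attempt, $stored) ? 'true' : 'false'
    );
}
```

running it prints `true` in the loose column for every numeric-looking attempt and only for the real password in the strict column. note that PHP 8’s “saner string to number comparison” change does not help here: it only altered number-vs-non-numeric-string comparisons, while two numeric strings are still compared numerically by ==. a plain `===` would also close the bug; hash_equals() is the better choice because it additionally avoids leaking timing information.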

PoC

set a vulnerable password:

plesk bin admin --set-password -passwd 0e012345678234323232

login with:

  • username: admin
  • password: 0e0

boom, admin access.

details

  • affects: Plesk Obsidian ≤18.0.71 (tested on 18.0.70, 18.0.71)
  • CVE: CVE-2025-54336

note: normal users aren’t affected since their passwords are properly hashed. only the admin user has this weird encrypted password check that’s vulnerable.